Anatomy of Credit card Numbers

Full text

(1)

Anatomy of Credit card

Numbers

Hitesh Malviya

(Information Security analyst)

CEO at HCF Infosec Limited

Web:

www.hiteshmalviya.in

www.hitesh.hcf.co.in

Email:

hitesh@hcf.co.in

hmalviya9@gmail.com

Biography of Author:

Hitesh Malviya is a renowned security researcher and evangelist. His

expertise includes computer and network security, exploit research, python programming, computer forensics, website designing,

compliance and e-Governance. He is the author of the books –

“Hackdecoders-Official guide to

greyhat hacking(part-1)” and

“Hackdecoders-Official guide to

greyhat hacking(part-2)”, both up for

worldwide release in mid 2012.

Hitesh is a nationally acclaimed speaker and has spoken in dozens of seminars & workshops countrywide. He has trained more then 500+

students and having rich experience of ethical hacking training. He has also conducted workshops and corporate trainings around the nation apart from his speaking engagements.

He has found serious vulnerabilities in Top social networking websites orkut and facebook. He is continuously working in field of cyber security to secure most Indian domain websites. Presently, Hitesh Malviya is working with HCF Infosec Limited as Chief executive officer and with RRN Technologies as Penetration tester.

(2)

security community as the founder of Hindustan cyber force , a computer security education portal. Hindustan cyber force was former Indian no. #1 Ethical hacking forum as per alexa ranking and number of members. It was considered one of top sites for security education. Hitesh’s tutorials on Python Programming, Buffer Overflows, and Metasploit etc. have received thousands of views and hundreds of appreciating comments from the community. The site also includes Tutorials from other security researchers.

Research work & Publications:

(1)White paper on Cloud computing overview & security issues:

http://packetstormsecurity.org/files/10 8747/cloud-computing.pdf

(2)White paper on Common Security vulnerabilities in online payment system:

http://packetstormsecurity.org/files/10 8823/common-vulnerabilities.pdf

(3)White paper on How secure is contactless smartcard technology:

http://packetstormsecurity.org/files/do

wnload/111407/howsecure-smartcard.pdf

Abstract

Credit card is a small plastic card issued to users as a system for payment. They can by goodies by credit card details online. Luhn’s formula is used for generation of valid credit card number. Various programs and scripts are also available online for generating valid credit card numbers. We will also discuss techniques used by attackers in credit card hacking.

Keywords: Credit card, Luhn’s

formula, fake name generator, Credit card generator

(3)

Introduction

Credit card is a small size plastic card issued to users as a system for

payment. They can purchase any goodies by using credit card details.

Specifications for credit card

numbering have been drawn up by the International Standards Organization (ISO/IEC 7812-1:1993) and the

American National Standards Institute (ANSI X4.13).

Major Industry Identifier

The first digit of your credit card number is the Major Industry Identifier (MII), which represents the category of entity which issued your credit card. Different MII digits represent the following issuer categories:

MII Digit

Value Issuer Category 0 ISO/TC 68 and other industry

assignments 1 Airlines

2 Airlines and other industry assignments

3 Travel and entertainment 4 Banking and financial 5 Banking and financial 6 Merchandizing and banking 7 Petroleum

8 Telecommunications and other industry assignments

9 National assignment

Issuer Identifier

The first 6 digits of your credit card number (including the initial MII digit) form the issuer identifier. This means that the total number of possible issuers is a million (10 raised to the sixth power, or 1,000,000).

Some of the better known issuer identifiers are listed in the following table: Issuer Identifier Card Number Length Diner's Club/Carte Blanche 300xxx-305xxx, 36xxxx, 38xxxx 14

(4)

American Express 34xxxx, 37xxxx 15 VISA 4xxxxx 13, 16 MasterCard 51xxxx-55xxxx 16 Discover 6011xx 16

If the MII digit is 9, then the next three digits of the issuer identifier are the 3-digit country codes defined in ISO 3166, and the remaining final two digits of the issuer identifier can be defined by the national standards body of the specified country in whatever way it wishes.

Account Number

Digits 7 to (n - 1) of your credit card

number are your individual account identifier. The maximum length of a credit card number is 19 digits. Since the initial 6 digits of a credit card number are the issuer identifier, and the final digit is the check digit, this means that the maximum length of the account number field is 19 - 7, or 12 digits. Each issuer therefore has a trillion (10 raised to the 12th power, or 1,000,000,000,000) possible account numbers.

Check Digit(Luhn’s formula)

The final digit of your credit card number is a check digit, akin to a

checksum. The algorithm used to arrive at the proper check digit is called the Luhn algorithm, after IBM scientist Hans Peter Luhn.

"For a card with an even number of digits, double every odd numbered digit and subtract 9 if the product is greater than 9. Add up all the even digits as well as the doubled-odd digits, and the result must be a multiple of 10 or it's not a valid card. If the card has an odd number of digits, perform the same addition doubling the even numbered digits instead."

Examples:

4408 0412 3456 7890

The first credit card offer showed a picture of a card with the number 4408 0412 3456 7890.

The Major Industry Identifier (MII) is 4 (banking and financial), the issuer identifier is 440804 (a VISA partner), the account number is 123456789, and the check digit is 0.

Let's apply the Luhn check to 4408 0412 3456 7890. In the following table,

• The top row is the original number.

• In the second row, we multiply alternate digits by 2. Don't multiply the check digit by 2.

(5)

• In the third row, we force all digits to be less than 10, by subtracting 9 where necessary.

• The bottom row contains the digits to be added together.

4 4 0 8 0 4 1 2 3 4 5 6 7 8 9 0 4 x 2 = 8 4 0 x 2 = 0 8 0 x 2 = 0 4 1 x 2 = 2 2 3 x 2 = 6 4 5 x 2 = 10 6 7 x 2 = 14 8 9 x 2 = 18 0 8 4 0 8 0 4 2 2 6 4 10 - 9 = 1 6 14 - 9 = 5 8 18 - 9 = 9 0 8 4 0 8 0 4 2 2 6 4 1 6 5 8 9 0

If we add all of the digits in the bottom row together, we get 67, which is not a multiple of 10, and therefore we

conclude that the number 4408 0412 3456 7890 is an invalid credit card number.

By changing the check digit from 0 to 3, we arrive at the number 4408 0412 3456 7893, which does pass the Luhn check, since the sum of the digits in the bottom row would be 70, which is divisible by 10. 4408 0412 3456 7893 is, on the face of it, a valid credit card number.

4417 1234 5678 9112

The second credit card offer showed a picture of a card with the number 4417 1234 5678 9112.

The Major Industry Identifier (MII) is 4 (banking and financial), the issuer

identifier is 441712 (a VISA partner), the account number is 345678911, and the check digit is 2.

Let's apply the Luhn check to 4417 1234 5678 9112, as we did in the previous example. 4 4 1 7 1 2 3 4 5 6 7 8 9 1 1 2 4 x 2 = 8 4 1 x 2 = 2 7 1 x 2 = 2 2 3 x 2 = 6 4 5 x 2 = 10 6 7 x 2 = 14 8 9 x 2 = 18 1 1 x 2 = 2 2 8 4 2 7 2 2 6 4 10 - 9 = 1 6 14 - 9 = 5 8 18 - 9 = 9 1 2 2 8 4 2 7 2 2 6 4 1 6 5 8 9 1 2 2

If we add all of the digits in the bottom row together, we get 69, which is not a multiple of 10, and therefore we

conclude that the number 4417 1234 5678 9112 is an invalid credit card number.

By changing the check digit from 2 to 3, we arrive at the number 4417 1234 5678 9113, which does pass the Luhn check, since the sum of the digits in the bottom row would be 70, which is divisible by 10. 4417 1234 5678 9113 is, on the face of it, a valid credit card number.

(6)

Credit card number generator

Command line Python program, Java program, C# program, PHP script, and JavaScript script to generate valid (MOD 10) credit card numbers. Useful for testing e-commerce sites should run on any platform. This generates 13 and 16 digit VISA, Mastercard, Amex, and a whole bunch of others.

Java source code for credit card number generator:

Java Source Code

The following simple Java class is free for you to use as you wish, without any restrictions or guarantees.

//---

// Checks for valid credit card number using Luhn algorithm

//---

public abstract class LuhnCheck { //--- // Filter out non-digit characters //--- private static String

getDigitsOnly (String s) {

StringBuffer digitsOnly = new StringBuffer ();

char c;

for (int i = 0; i < s.length (); i++) { c = s.charAt (i); if (Character.isDigit (c)) { digitsOnly.append (c); } } return digitsOnly.toString (); } //--- // Perform Luhn check //---

public static boolean isValid (String cardNumber) { String digitsOnly = getDigitsOnly (cardNumber); int sum = 0; int digit = 0; int addend = 0;

boolean timesTwo = false; for (int i = digitsOnly.length () - 1; i >= 0; i--) { digit = Integer.parseInt (digitsOnly.substring (i, i + 1)); if (timesTwo) { addend = digit * 2; if (addend > 9) { addend -= 9; } } else { addend = digit; } sum += addend; timesTwo = !timesTwo; }

int modulus = sum % 10; return modulus == 0; }

//--- // Test //---

public static void main (String[] args) { String cardNumber = "4408 0412 3456 7890"; boolean valid = LuhnCheck.isValid (cardNumber); System.out.println (cardNumber + ": " + valid); cardNumber = "4408 0412 3456 7893"; valid = LuhnCheck.isValid (cardNumber); System.out.println (cardNumber + ": " + valid); cardNumber = "4417 1234 5678 9112";

(7)

valid = LuhnCheck.isValid (cardNumber); System.out.println (cardNumber + ": " + valid); cardNumber = "4417 1234 5678 9113"; valid = LuhnCheck.isValid (cardNumber); System.out.println (cardNumber + ": " + valid); } }

Fake name Generator

If you want to go one step further and generate a whole test identity, try the Fake Name generator. It makes use of this credit card generator, and adds a lot of other identity data.

http://www.fakenamegenerator.com/

This is the website for which you were looking for. It creates fake identity of any person with identification details & credit card details can be used in credit card frauds.

Here is one of fake identity generated by this website. These details can be used in committing credit card frauds.

Summary

Credit card is a small size plastic card issued to users as a system for payment. The algorithm used to arrive at the proper check digit is called the Luhn algorithm, after IBM scientist Hans Peter Luhn. Fake Name generator makes a whole test identity to make use of credit card generator.

(8)

References:

(1)http://www.asis.org/Features/Pionee rs/luhn.htm (2)http://www.phrack.org/show.php?p =47&a=8 (3)http://en.wikipedia.org/wiki/Credit_ card

Figure

Updating...

References

Updating...

Related subjects :